
Cookie emergency.

Posted: Thu Jan 24, 2008 10:42 pm
by Mightywayne
Hello, everyone. As some of you know, I run a game. Recently I've gotten complaints that people's cookies have been expiring much earlier than they should be, and some people can't log in at all. My cookies are like this: (ps... where's the php tags? :()

Code:

 
$randomcookiethinger = rand(1, 999999999999999);
setcookie(user, $randomcookiethinger, time()+1600, "", "");
 
The $randomcookiethinger is used to make sure they aren't editing cookie information.

My check to see if the cookie expired is:

Code:

 
if (!isset($_COOKIE["user"]))
  die('<font color="red"><b><big>Error:</big></b></font><font color="black"><br><br>You must log in first!');
Do you have ANY idea what could be wrong?

Re: Cookie emergency.

Posted: Thu Jan 24, 2008 11:15 pm
by s.dot
User needs to go in quotation marks: setcookie('user')

You're only storing an integer in the cookie?

Re: Cookie emergency.

Posted: Thu Jan 24, 2008 11:21 pm
by Mightywayne
Oi... a little after posting, I did try the quotation marks. (keep in mind I've been running the game fine, and 10-20 people have been logging in fine, for a while) A girl experiencing the problem said it still persisted. =/

And yes, I am, but that's when I was a noob. I didn't know about md5 and stuff, I suppose I should for security's sake, go back and super-encrypt that. Got a good suggestion for that?

Re: Cookie emergency.

Posted: Fri Jan 25, 2008 12:38 am
by Chris Corbyn
Mightywayne, the PHP tags are here... just type [ php] to start code, then end with [/ php] ;)

Re: Cookie emergency.

Posted: Fri Jan 25, 2008 9:58 am
by Mightywayne
Erm, alright, thanks.

Anyone have any other possible solutions? =/

Re: Cookie emergency.

Posted: Fri Jan 25, 2008 6:49 pm
by Mightywayne
Okay, I think it might have to do with the fact that I've .htaccess'd my website to remove the www.

No matter what, you simply can't "get" to www. domain. I removed that due to complications in the forums and it's ugly anyway, is there a way to get around that when setting a cookie?

Re: Cookie emergency.

Posted: Sat Jan 26, 2008 5:05 am
by JAM
Mightywayne wrote: Okay, I think it might have to do with the fact that I've .htaccess'd my website to remove the www.

No matter what, you simply can't "get" to www. domain. I removed that due to complications in the forums and it's ugly anyway, is there a way to get around that when setting a cookie?

Code:

 
setcookie(user, $randomcookiethinger, time()+1600, "", ".youdomain.com");
 
Be sure to use the 2 dots in the domain name. That should work for both http://www.youdomain.com/exemplepage.php and http://youdomain.com/exemplepage.php.

Re: Cookie emergency.

Posted: Sat Jan 26, 2008 9:46 am
by Mightywayne
This is getting a bit ridiculous. I'm seriously trying everything, I've tried putting user in quotes, taking it out, doing those both with no domain or path, vice versa...

Is there an alternative to the cookie system? I know there's sessions, but would they even apply to what I want to do?

Re: Cookie emergency.

Posted: Sat Jan 26, 2008 10:27 am
by JAM
Yah, $_COOKIE = 'foo'; instead of setcookie()... But still same result.
Btw, it's not as simple as you missing a $ before user? Just making sure...

Code:

 
// bad
setcookie(user, $randomcookiethinger, time()+1600, "", "");
// better
setcookie($user, $randomcookiethinger, time()+1600, "", "");

Re: Cookie emergency.

Posted: Sat Jan 26, 2008 10:48 am
by Mightywayne
Positive, man. I'm seriously trying everything. As before, MOST people could log in. And most people STILL can, but now the girl that originally reported it to me can't get in at *all*, and there was another case of this happening to another guy, too.

Maybe if I post every damn thing to you, you will notice a flaw...

Code:

 
$randomcookiethinger = rand(1, 999999999999999);
 
mysql_query("UPDATE user SET securecookie = '$randomcookiethinger' WHERE username = '$username'");
 
mysql_query("UPDATE user SET inactivedays = 0 WHERE username = '$username'");
 
setcookie("newuser", $randomcookiethinger, time()+1600);
 
See that? It's the login script for when people FIRST log in. She sees the FIRST page, and then after navigating it, my included security.php file stops her, as if that first page she sees is the only one ever to have a good cookie.

Code:

 
$userz = $_COOKIE['newuser'];
 
if (empty($userz))
{
 
  die('(message for not having a cookie)');
}
 
It's as if it's deleted or something. Any help would be appreciated... =/

Edit: And I just tried to keep it from making a new cookie with the refresh script (so every 25 minutes the user is not logged out) and still it didn't go. It has to be something with setting the actual cookie, but I'm stumped and I'm smurf because I've been working on this for 2.5 hours now, when I could've spent time coding something important. :( Are sessions okay for what I want to do?

Re: Cookie emergency.

Posted: Sat Jan 26, 2008 11:01 am
by JAM
Sorry for the lack of support. Just shooting out ideas...

What's the securecookie datafield for type in the database? As you're using rand() as well as an unsigned INT can only be as large as 4294967295 you might get problems as described...

Re: Cookie emergency.

Posted: Sat Jan 26, 2008 11:04 am
by Mightywayne
It's alright, man, I'm glad someone's trying their best to help me.

It's an INT, with 30 slots for numbers in it. Is 4294967295 really the most it can be? I should probably note that whenever I do the rand(111111, 999999999) thing, the number always comes out negative. Could that be it?

Re: Cookie emergency.

Posted: Sat Jan 26, 2008 11:17 am
by JAM
I'd change the INT to a BIGINT. An unsigned BIGINT can be as big as 18446744073709551615 (ie. mt_rand(1, 18446744073709551615)). I bet that's the issue. Because occasionally the rand() script will strike a number within the INT's range, sometimes not...

If you create a table with an unsigned INT() and run the following on it you'll understand the error;

Code:

-- t stands for a table with a single unsigned INT column ("table" itself is a reserved word)
insert into t values(1);
insert into t values(4294967295);
insert into t values(4294967296);
Result:

Code:

1
4294967295
4294967295
See the last value being bad...

And the rand() shouldn't come out negative. And also, I'd use mt_rand().
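
Added example, not code from the thread or from the game: it puts JAM's point about the INT column next to the earlier question about securing the cookie value, replacing the rand() number with a random token whose hash is stored in a string column. It assumes 64-bit PHP 7.3 or later, that security.php compares the cookie against the securecookie column, and that the column is changed to CHAR(64); the function names are hypothetical.

```php
<?php
// Added example. Function names and the CHAR(64) column are assumptions,
// not code from the thread. Assumes 64-bit PHP 7.3 or later.

// Non-strict MySQL clamps out-of-range values written to INT UNSIGNED,
// which is the mismatch JAM's three INSERT statements show.
function storedInUnsignedInt(int $n): int
{
    return min(max($n, 0), 4294967295);
}

// New token: random_bytes() is a CSPRNG, unlike rand() or mt_rand().
// The browser gets the token; the database keeps only its SHA-256 hash.
function issueLoginToken(): array
{
    $token = bin2hex(random_bytes(32)); // 64 hex characters, no integer range
    return ['cookie' => $token, 'db' => hash('sha256', $token)];
}

// Reject malformed cookies, then compare hashes in constant time.
function checkLoginToken(?string $cookie, string $dbHash): bool
{
    if ($cookie === null || !preg_match('/\A[0-9a-f]{64}\z/', $cookie)) {
        return false;
    }
    return hash_equals($dbHash, hash('sha256', $cookie));
}

// Send the cookie for both youdomain.com and www.youdomain.com.
function sendLoginCookie(string $token): bool
{
    return setcookie('newuser', $token, [
        'expires'  => time() + 1600,
        'path'     => '/',
        'domain'   => '.youdomain.com',
        'secure'   => true,   // assumes the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed demonstration values.
$old = 999999999999; // within rand(1, 999999999999999), above the INT maximum
var_dump(storedInUnsignedInt($old) === $old);
$t = issueLoginToken();
var_dump(checkLoginToken($t['cookie'], $t['db']));
var_dump(checkLoginToken((string) $old, $t['db']));
```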

Re: Cookie emergency.

Posted: Sat Jan 26, 2008 1:29 pm
by Mightywayne
Unfortunately, it didn't make them positive. :( But I do have sorta good news. It appears it's just an IE thing, and Firefox works much better for the game in general. Normally I'd care more, but 90% of my users use Firefox, and the problem was minute to begin with. I've also put cookies to simply never expire, and an option to turn it off.

Thanks a lot, you (and everyone else too) have been a great help.

Re: Cookie emergency.

Posted: Sat Jan 26, 2008 1:40 pm
by JAM
Well, hope it helped some.

Still interested if you changed the INT to BIGINT or if it was BIGINT from the start. Did you check it out? Just asking as follow-up for upcoming readers. :D